Data Processing Addendum
Effective April 14, 2026
This Data Processing Addendum ("DPA") supplements the Instafront Terms of Service. It applies when, and only to the extent that, Instafront processes personal data on your behalf as a data processor within the meaning of the EU General Data Protection Regulation ("GDPR") or equivalent law.
For most Instafront customers (small businesses publishing their own Instagram content on a site we generate), Instafront primarily acts as a data controller for account-level data, and as a data processor only for any personal data of your own visitors or customers that passes through Instafront (for example, contact-form submissions, if we add that feature). If you need a signed copy for your records, email legal@instafront.app.
1. Definitions
Terms like "personal data," "data subject," "processing," "controller," and "processor" have the meanings given to them in the GDPR. "Customer Data" means personal data that Instafront processes on behalf of the Customer.
2. Roles
The Customer is the controller of Customer Data. Instafront is a processor acting on the Customer's documented instructions, which are given through (a) the Terms of Service, (b) configuration you set inside Instafront, and (c) any written instructions you send us that we accept.
3. Scope & purpose
Instafront processes Customer Data only to:
- Provide and maintain the service described in our Terms.
- Respond to support requests from you.
- Comply with legal obligations.
4. Subject matter and nature of processing
- Subject matter. Hosting, transforming, and publishing personal data contained in Instagram content you connect, plus any personal data of your visitors that reaches Instafront through features you use.
- Duration. For as long as you have an account, plus applicable retention windows.
- Categories of data subjects. You, your Instagram audience whose likenesses or names appear in your posts, and any visitors to your site whose data you collect through Instafront features.
- Categories of personal data. Names, images, captions, contact details (where you've included them publicly), IP addresses of site visitors (aggregated, not retained individually by our analytics provider).
5. Subprocessors
You authorize Instafront to engage the subprocessors listed at /subprocessors, each of which is bound by written terms consistent with this DPA. We will give at least 30 days' notice before adding or replacing a subprocessor so you can object. If you object on reasonable grounds and we can't offer an alternative, you may terminate the affected part of the service.
6. International transfers
Where personal data leaves the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (2021/914), the UK International Data Transfer Addendum where applicable, and supplementary measures as required. The EU-U.S. Data Privacy Framework is used where it applies.
7. Security
Instafront maintains technical and organizational measures appropriate to the risk, including:
- TLS 1.2+ for data in transit and encryption at rest for stored personal data.
- Per-row encryption of Instagram access tokens.
- Least-privilege access, logged and reviewed.
- Secret management via a hosted secret store, rotated on personnel change.
- Error redaction before PII reaches our observability pipeline.
- Annual review of the measures in this section.
8. Personnel & confidentiality
Any person authorized by Instafront to process Customer Data is bound by confidentiality either by contract or statute.
9. Data subject requests
Dashboard export and deletion tools let you resolve most requests yourself without contacting us. Where assistance is needed, Instafront will respond promptly to reasonable requests for help in meeting your obligations under GDPR Articles 15–22.
10. Breach notification
We will notify the Customer without undue delay and in any case within 72 hours of becoming aware of a personal data breach affecting Customer Data. Notification will include the information required under Article 33(3) GDPR to the extent known.
11. Audits
On reasonable notice, Instafront will make available information necessary to demonstrate compliance with this DPA and will contribute to audits conducted by the Customer or a mutually agreed third-party auditor, at the Customer's cost and limited to no more than once per twelve months except where required by a supervisory authority.
12. Return or deletion
On termination, we will delete Customer Data according to the retention schedule in our Privacy Policy, unless retention is required by law. An export is offered in advance of deletion and on request.
13. Liability & precedence
Liability under this DPA is subject to the limits in the Terms of Service. Where this DPA conflicts with the Terms with respect to the processing of personal data, this DPA prevails.
14. Contact
For DPA matters: legal@instafront.app.